EP3591893A1 - Method and system for providing security in trusted execution environments - Google Patents
Method and system for providing security in trusted execution environments Download PDFInfo
- Publication number
- EP3591893A1 EP3591893A1 EP19183659.2A EP19183659A EP3591893A1 EP 3591893 A1 EP3591893 A1 EP 3591893A1 EP 19183659 A EP19183659 A EP 19183659A EP 3591893 A1 EP3591893 A1 EP 3591893A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- application
- replicas
- input
- master application
- master
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 42
- 230000006870 function Effects 0.000 claims description 30
- 238000012795 verification Methods 0.000 claims description 15
- 230000010076 replication Effects 0.000 claims description 14
- 230000004931 aggregating effect Effects 0.000 claims description 2
- 238000012545 processing Methods 0.000 description 7
- 239000000654 additive Substances 0.000 description 6
- 230000000996 additive effect Effects 0.000 description 6
- 238000004891 communication Methods 0.000 description 6
- 239000000463 material Substances 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 239000008000 CHES buffer Substances 0.000 description 1
- MKWKNSIESPFAQN-UHFFFAOYSA-N N-cyclohexyl-2-aminoethanesulfonic acid Chemical compound OS(=O)(=O)CCNC1CCCCC1 MKWKNSIESPFAQN-UHFFFAOYSA-N 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003362 replicative effect Effects 0.000 description 1
- 238000007789 sealing Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3255—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/123—Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Definitions
- the present invention relates to a method and system for providing security in trusted execution environments.
- Trusted Execution Environments e.g., Intel SGX
- TEEs Trusted Execution Environments
- Secret material e.g., cryptographic keys for a given piece of code
- secure mechanisms e.g., sealing and encrypted memory.
- application secret keys can be sealed (i.e., encrypted) at rest with keys only available to the platform hardware.
- the application secret keys are unsealed and made available to the application.
- Encrypted memory ensures that such keys are only available in clear text within the processor and that they are encrypted when written to memory.
- Keys in TEE applications may be used to for different security provisions. For example, a key may be used to sign the output of the application so that external entities can verify the authenticity of the output, i.e., that the output was produced by that specific TEE application. Alternatively, an encryption key may be used to encrypt the output so that it is only available to the intended recipient that holds the corresponding decryption key. Similarly, a key may be used by a TEE application either to decrypt incoming data or to verify its authenticity.
- TEEs including Intel SGX
- Ahmad Moghimi et al. “CacheZoom: How ⁇ SGX ⁇ Amplifies the Power of Cache Attacks”
- CHES 2017 the entire contents of which are hereby incorporated by reference herein
- Marcus Hähnel et al. "High-Resolution Side Channels for Untrusted Operating Systems”
- Usenix ATC 2017 (“Hähnel”) (the entire contents of which are hereby incorporated by reference herein).
- Spectre an attack that leverages speculative execution of processors known as Spectre (see e.g., Paul Kocher et al., "Spectre Attacks: Exploiting Speculative
- a method secures a system that includes an application owner, a master application, and a plurality secure platforms.
- the master application receives from the application owner an application and an input.
- the application is configured to compute a function to calculate an output from the input.
- the master application deploys replicas of the application on a number of the secure platforms.
- the master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas.
- the master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input.
- the master application determines the output based on the result received from each of the replicas; and sends the output to the application owner.
- the present invention provides systems and methods that mitigate consequences of side-channel attacks in trusted execution environments (TEEs).
- TEEs trusted execution environments
- Embodiments of the present invention solve, for example, the problem of leakage of secret material from TEEs, such as Intel SGX, via side-channels.
- TEEs are susceptible to side-channel attacks that may leak secret material, e.g., private keys of an application running in a TEE. Leakage of the private key invalidates any security provisions that relies on the secrecy of such key.
- Embodiments of the present invention provide an improvement over the state of the art by introducing techniques to create side-channel tolerant TEEs. For example, embodiments of the present invention overcome weaknesses of TEE applications related to side-channels by implementing mechanisms that provide desirable security provisions while tolerating side-channels.
- a fundamental precondition of a successful side-channel attack is that the attacker co-locates with the victim, i.e., the victim application and the attacker's code run on the same platform.
- Embodiments of the invention leverage replication and distribution of TEE applications on different platforms to mitigate the effectiveness of side-channel attacks.
- An adversary may still co-locate with some of the platforms where replicas of the victim application are running. The adversary may, therefore, leak the secrets of those application replicas by means of side-channel attacks. Yet, the adversary will not be able to invalidate the security provisions guaranteed by the secret keys of the application replicas, unless the adversary co-locates with all of the application replicas.
- Embodiment of the present invention leverage seamless application replication in conjunction with cryptographic mechanisms to make the TEE applications robust to side-channels attack.
- the application owner provides the code of the TEE application to a master application.
- the master application is a specialized TEE application that takes care of replicating the TEE application over several platforms and of coordinating the cryptographic protocols required.
- An aspect of embodiments of the present invention is that, by using replication and threshold signature schemes, the consequences of a side-channel attack to TEE applications that require authenticated output data are mitigated.
- Another aspect of embodiments of the present invention is that, by using replication and multi-party computation, the consequence of a side-channel attack to TEE applications that require confidential input and output data are mitigated.
- the master application checks that each application replica has returned the same value y .
- the master application then aggregates all partial signatures and forwards y and the aggregated signature to the application owner.
- the latter application owner may verify authenticity of y by verifying the aggregated signature using the verification key received by the master application.
- the adversary must launch a successful side-channel attack on at least t platforms to be able to sign arbitrary data on behalf of the application.
- a master application creates n replicas of the TEE application and distributes each replica on a different platform.
- the master application distributes encryption/decryption keys to the replicas in order to establish point-to-point confidential channels between any pair of replicas and between each replica and the master application.
- the master application may also create a confidential channel with the application owner by means of a shared key. Given the owner supplied input x, the master application computes random additive shares of x and distributes each share to each of the application replicas.
- y f ( x ) .
- Each application replica sends the random additive share of y to the master application.
- the master application recovers y by summing the additive shares and forwards the result to the application owner.
- An embodiment of the present invention provides a method that secures a system that includes an application owner, a master application, and a plurality secure platforms.
- the master application receives from the application owner an application and an input.
- the application computes a function to calculate an output from the input.
- the master application deploys replicas of the application on a number of the secure platforms.
- the master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas.
- the master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input.
- the master application determines the output based on the result received from each of the replicas; and sends the output to the application owner.
- the method may further include: instantiating, by the master application a threshold signature signing scheme.
- the instantiating may include: distributing, by the master application, a respective share of a signing key of the threshold signature signing scheme to each of the replicas; and sending, by the master application, a verification key of the threshold signature signing scheme to the application owner; and receiving, by the master application from each of the replicas, a respective partial signature of the result calculated by the respective one of the replicas, the respective partial signature being based on the respective share of the signing key.
- the master application may send the entire input to each of the replicas.
- the respective result received by the master application for each of the replicas may correspond to the output of the function applied to the input,
- the method may further include: generating, by the master application, a reconstructed signature based on the respective partial signature received from each of the replicas; and outputting, by the master application, the reconstructed signature to the application owner.
- the reconstructed signature may be configured to be verified by the verification key.
- the respective result received by the master application for each of the replicas may be signed with the respective partial signature, and the output may be configured to be verified using the reconstructed signature and the verification key.
- the master application and the secure platforms are instantiated in trusted execution environment enclaves.
- the method may further include receiving, by the master application, a replication parameter.
- the number of replicas and the number of security platforms may each correspond to the replication parameter.
- the number of secure platforms is at least two.
- the method further includes: respectively selecting, by the master application, a key for each pair of the replicas, and respectively sending, by the master application, the respective key to each pair of the replicas.
- the respective key may be configured to enable a secure channel between the respective pair of the replicas.
- the key is a random key.
- the method may further include: splitting, by the master application, the input into shares of the input.
- the at least a portion of the input respectively sent to each of the respective replicas may corresponds to one of the shares of the input.
- the respective result calculated by each of the replicas may be a partial result that is determined according to the function applied to the respective one of the shares of the input.
- the output may be determined by aggregating the partial result respectively received from each of the replicas.
- he function is linear and the respective partial result received is calculated individually the respective one of the replicas.
- the function is non-linear and the respective partial result received is calculated based on a secure multi party protocol between the replicas.
- Another embodiment of the present invention provides a secure platform having a processor coupled to a non-transitory storage memory containing instructions, which when executed by the processor, cause the secure platform to instantiate a master application in a secure enclave, the master application configured to perform the following operations: receive an application and an input, the application configured to compute a function to calculate an output from the input when executed; deploy a plurality of replicas of the application on a number of secure platforms; establish a secure channel with each of the replicas; send at least a portion of the input to the replicas; receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input; determine the output based on the result received from each of the replicas; and send to an application owner, the output.
- the master application can be configured to utilize either a replication and threshold signature scheme or a replication and multi-party computation scheme to protect against side-channel attacks.
- Another embodiment of the present invention provides a non-transitory computer-readable storage medium storing instructions that upon execution cause a master application, instantiated in a secure enclave, to perform the following operations: receive an application and an input, the application configured to compute a function to calculate an output from the input when executed; deploy a plurality of replicas of the application on a number of secure platforms; establish a secure channel with each of the replicas; send at least a portion of the input to the replicas; receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input; determine the output based on the result received from each of the replicas; and send to an application owner, the output.
- An embodiment of the invention is based on the threshold version of the BLS signature scheme. More information on the BLS signature scheme can be found in: Dan Boneh et al., "Short Signatures from the Weil Pairing," ASIACRYPT 2001 , the entirety of which is incorporated by reference herein.
- G be a Gap-Diffie-Hellman group-i.e., a group of prime order p with generator g and pairing operation e:GxG ⁇ G T .
- H be a hash function that maps strings of arbitrary length to elements of G.
- the BLS signature scheme is a triplet of algorithms KeyGen, Sign, Verify, defined as follows:
- Threshold BLS signatures are described in Alexandra Boldyreva, “Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme," Public Key Cryptography 2003 (“Boldyreva”), the entire contents of which are incorporated by reference herein.
- Threshold BLS signatures given a BLS signature scheme ( KeyGen, Sign, Verify ) the threshold version has an additional triplet of algorithms: Share, Share-Sign, Reconstruct, defined as follows:
- the dealer then computes n key-shares by calling Share on sk.
- Each key-share is given to a different signer.
- Each signer computes a signature-share on a message m by calling Share-Sign with input its key-share.
- any party Given at least t signature-shares on a message m, any party can reconstruct a valid signature ⁇ on message m by calling Reconstruct.
- the signature output by Reconstruct can be verified with vk by calling Verify.
- the security provisions of the threshold signature scheme guarantee that no coalition of up to t -1 holders of key-shares can produce a valid signature on arbitrary message m .
- FIG. 1 illustrates an embodiment of a system for providing security in a TEE according to the present invention.
- a system 100 may include an application owner 110 in communication with a master application 120, which in turn is in communication with at least one compute device 130 hosting at least one platform P.
- the application owner 110 and master application 120 may also be hosted on compute devices (e.g., personal computers, servers, IoT devices, mobile phones, etc.).
- the application owner 110 provides the master application 120 with a TEE application code A, an input x, and a replication parameter n.
- the master application 120 deploys the application A on the platform P i . This is done by sending a replica of the application A to the platform P i .
- the platform P i installs the application A in a local enclave 140 of the compute device 130 hosting the platform P i .
- the local enclave 140 may be secure enclave such as provided by Intel SGX.
- a i denotes the replica of the application A that runs in an enclave 140 on the platform P i .
- n 3; thus the master application 120 deploys three replicas A 1 - A 3 of the application A individually in the three platforms P 1 - P 3 .
- n is at least two, such that at least two enclaves are used to ensure security against leakage.
- the master application 120 also verifies that a replica A i of the application A is running in an enclave 140 on each platform P i by means of the remote attestation service.
- the remote attestation service For example, an embodiment can use the remote attestation service of Intel SGX.
- Remote attestation also allows the master application 120 and the replica A i of the application A to establish a confidential channel by means of a shared key. Any further communication between the master application 120 and any replica A i of the application A happens over the corresponding confidential channel.
- the master application 120 sets up a threshold signature scheme TS (see e.g., Boldyreva discussing threshold signature schemes) and runs TS.KeyGen to obtain a signing key sk and its corresponding verification key vk.
- the master application 120 calls TS.Share on the signing key sk to generate key-shares sk 1 ,...sk n , and provides each replica A i with a corresponding key-share sk i (1 ⁇ i ⁇ n ).
- the verification key vk is provided to the application owner 100 by the master application 120.
- the master application 120 forwards x to each application replica A i .
- the master application 120 collects ( y, ⁇ i ,..., ⁇ n ), computes a reconstructed signature ⁇ by calling TS.Reconstruct on the partial signatures ⁇ i ,..., ⁇ n , and forwards ( y, ⁇ ) to the application owner 110 who may verify authenticity of the reconstructed signature ⁇ by using the verification key vk.
- FIG. 2 illustrates a method 200 for providing security in trusted execution environments according to an embodiment of the present invention.
- the method 200 secures a trusted execution environment from, inter alia, a side channel attack.
- the method 200 may be operated in a system (such as system 100) that includes at least one application owner (such as application owner 110) at least one master application (such as master application 120), and a plurality of trusted execution environment enabled platforms (such as platform P i ).
- a system such as system 100
- the master application may run on an additional TEE platform (i.e., a master trusted execution environment platform), such as an SGX-enabled platform.
- the master application receives an application binary A and an input x from the application owner (S201).
- the application binary A computes a function f to calculate and output y from the input x.
- the master application deploys n replicas of application binary A over n different secure platforms (S202).
- the secure platforms include trusted execution environment enclaves; for example, the secure platforms may be SGX-enabled platforms.
- the master application attests each replica and establishes a secure channel with each replica of the application binary A (S203).
- the master application instantiates a threshold signature scheme and distributes shares of the signing scheme to the replicas (S204).
- the master application provides the verification key of the threshold signature scheme to the application owner (S205).
- the master application sends the input x to each of the replicas (S206).
- the master application receives each replica's output y and each replica's partial signature (S208).
- the master application aggregates the partial signature into a standard signature (S209).
- the master application sends the output y and the standard signature to the application owner (S210).
- the application owner checks authenticity of the output y by verifying the standard signature using the verification key (S211).
- the application owner 310 provides the master application 320 with a TEE application code A, an input x, and a replication parameter n.
- the master application 320 deploys the application A on the platform P i . This is done by sending a replica of the application A to the platform P i .
- the platform P i installs the application A in a local enclave 340 of the compute device 330 hosting the platform P i .
- a i denotes the replica of the application A that runs in an enclave 340 on the platform P i .
- the master application 320 verifies that the replica A i of the application A is running in an enclave 340 on the platform P i by means of a remote attestation service.
- a remote attestation service provided by Intel SGX.
- Remote attestation also allows the master application 320 and the replica application A i to establish a confidential channel by means of a shared key sk. Any further communication between the master application 320 and any application replica A i happens over the corresponding confidential channel.
- the master application 320 picks at random a key K ij and distributes it to A i and A j . Any further communication between A i and A j happens over the confidential channel established by means of K ij .
- each pair of application replicas A i , A j (1 ⁇ i, j ⁇ n ) may attest each-other by means of the remote attestation service, e.g., the remote attestation service of Intel SGX, in order to establish a confidential channel by means of a shared key. Any further communication between A i and A j happens over the confidential channel established.
- the remote attestation service e.g., the remote attestation service of Intel SGX
- the master application may be considered a trusted entity to act on behalf of the owner.
- f non-linear
- the SPDZ framework can be used (see e.g., Hähnel discussing SPDZ).
- all such triplets can be defined, shared, and distributed by the master application 320 to the application replicas A i . That is, given a random triplet a,b,c, the master application 320 computes n (linear) shares of a as a 1 ,...,a n and sends a i to A i .
- FIG. 4 illustrates a method 400 for providing security in trusted execution environments according to an embodiment of the present invention.
- the method 400 secures a trusted execution environment from, inter alia, a side channel attack.
- the method 400 may be operated in a system (such as system 300) that includes at least one application owner (such as application owner 310) at least one master application (such as master application 320), and a plurality of trusted execution environment enabled platforms (such as platforms P i ).
- a system such as system 300
- the master application may run on an additional SGX-enabled platform.
- the master application receives an application binary A and an input x from the application owner (S401).
- the application binary A computes a function f to calculate and output y from the input x.
- the function f may be linear or non-linear.
- the master application deploys n replicas of application binary A over n different secure platforms (S402).
- the secure platforms include trusted execution environment enclaves; for example, the secure platforms may be SGX-enabled platforms.
- the master application attests each replica and establishes a secure channel with each replica of the application binary A (S403).
- Each pair of replicas establishes a secure connection between them (S404).
- the master application distributes a random key to each pair of replicas for establishing the secure channel (S404a).
- each pair of replicas performs remote attestation to form the secure channel (S404b).
- the master application splits the input x into n additive random shares, and sends a share to each of the replicas (S405).
- Each replica computes its share of the output (S406).
- each replica computes its share of the output separately (S406a).
- all replicas engage in a secure multi-party computation protocol to compute their output shares (S406b). Once the output shares are computed, the output shares are sent to and received by the master application (S407).
- the master application aggregates the output shares to compute the output (S408).
- the master application sends the output to the application owner (S409).
- FIG. 5 is a block diagram of a processing system according to one embodiment for providing a secure trusted execution environment.
- the processing system can be used to implement the system and method described above.
- each of the platforms, the application owner, and master application may be implemented on a processing system such as shown in FIG. 5 .
- Each processing system includes at least one processor 704, such as a central processing unit (CPU) of the computing device or a dedicated special-purpose processor, executes computer executable instructions comprising embodiments of the system for performing the functions and methods described above.
- the computer executable instructions are stored (e.g., locally stored) and accessed from a non-transitory computer readable medium, such as storage 710, which may be a hard drive or flash drive.
- Read Only Memory (ROM) 706 includes computer executable instructions for initializing the processor 704, while the random-access memory (RAM) 708 is the main memory for loading and processing instructions executed by the processor 704.
- the network interface 712 may connect to a wired network or cellular network and to a local area network or wide area network, such as the Internet.
- the recitation of "at least one of A, B and C” should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise.
- the recitation of "A, B and/or C" or "at least one of A, B or C” should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Radar, Positioning & Navigation (AREA)
- Remote Sensing (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computing Systems (AREA)
- Storage Device Security (AREA)
Abstract
Description
- The present invention relates to a method and system for providing security in trusted execution environments.
- Trusted Execution Environments (TEEs), e.g., Intel SGX, allow for running applications in isolation from other software on the same host. Secret material, e.g., cryptographic keys for a given piece of code, are protected by the platform hardware and managed by secure mechanisms, e.g., sealing and encrypted memory. For example, application secret keys can be sealed (i.e., encrypted) at rest with keys only available to the platform hardware. At runtime, the application secret keys are unsealed and made available to the application. Encrypted memory ensures that such keys are only available in clear text within the processor and that they are encrypted when written to memory.
- Keys in TEE applications may be used to for different security provisions. For example, a key may be used to sign the output of the application so that external entities can verify the authenticity of the output, i.e., that the output was produced by that specific TEE application. Alternatively, an encryption key may be used to encrypt the output so that it is only available to the intended recipient that holds the corresponding decryption key. Similarly, a key may be used by a TEE application either to decrypt incoming data or to verify its authenticity.
- TEEs, including Intel SGX, are vulnerable to side-channel attacks. See, e.g., Ahmad Moghimi et al., "CacheZoom: How {SGX} Amplifies the Power of Cache Attacks," CHES 2017 (the entire contents of which are hereby incorporated by reference herein); Marcus Hähnel et al., "High-Resolution Side Channels for Untrusted Operating Systems," Usenix ATC 2017 ("Hähnel") (the entire contents of which are hereby incorporated by reference herein). Recently, an attack that leverages speculative execution of processors known as Spectre (see e.g., Paul Kocher et al., "Spectre Attacks: Exploiting Speculative
- Execution," CoRR abs/1801.01203 2018 (the entire contents of which are hereby incorporated by reference herein)) was successfully adapted to Intel SGX to leak secrets of a victim TEE application (Guoxing Chen et al., "SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution," CoRR/abs/1802.09085, 2018 (the entire contents of which are hereby incorporated by reference herein)). Once the key has been leaked, any security provisions that relies on the secrecy of that key is invalidated. For example, if the key is used to sign the application output, the adversary may use the leaked key to sign arbitrary data on behalf of the application.
- Patches and architectural changes are periodically issued to mitigate side-channels attacks. However, side-channels are an inherent aspect of platforms where multiple distrusting applications run, and a TEE architecture immune to side-channels is unlikely to appear on the market.
- In an embodiment, a method secures a system that includes an application owner, a master application, and a plurality secure platforms. The master application receives from the application owner an application and an input. The application is configured to compute a function to calculate an output from the input. The master application deploys replicas of the application on a number of the secure platforms. The master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas. The master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input. The master application determines the output based on the result received from each of the replicas; and sends the output to the application owner.
- The present invention will be described in even greater detail below based on the exemplary figures. The invention is not limited to the exemplary embodiments. All features described and/or illustrated herein can be used alone or combined in different combinations in embodiments of the invention. The features and advantages of various embodiments of the present invention will become apparent by reading the following detailed description with reference to the attached drawings which illustrate the following:
-
FIG. 1 illustrates a system implementing an embodiment of the present invention; -
FIG. 2 illustrates a method according to an embodiment of the present invention; -
FIG. 3 illustrates another system implementing an embodiment of the present invention; -
FIG. 4 illustrates another method according to an embodiment of the present invention; and -
FIG. 5 is a block diagram of a processing system according to one embodiment of the present invention. - The present invention provides systems and methods that mitigate consequences of side-channel attacks in trusted execution environments (TEEs). Embodiments of the present invention solve, for example, the problem of leakage of secret material from TEEs, such as Intel SGX, via side-channels.
- TEEs are susceptible to side-channel attacks that may leak secret material, e.g., private keys of an application running in a TEE. Leakage of the private key invalidates any security provisions that relies on the secrecy of such key. Despite a number of patches and architectural improvements aimed at countering side-channel attacks thus far available, it is unlikely that a traditional TEE immune to side-channels will be feasible in the near future. Embodiments of the present invention, however, provide an improvement over the state of the art by introducing techniques to create side-channel tolerant TEEs. For example, embodiments of the present invention overcome weaknesses of TEE applications related to side-channels by implementing mechanisms that provide desirable security provisions while tolerating side-channels.
- A fundamental precondition of a successful side-channel attack is that the attacker co-locates with the victim, i.e., the victim application and the attacker's code run on the same platform. Embodiments of the invention, however, leverage replication and distribution of TEE applications on different platforms to mitigate the effectiveness of side-channel attacks. An adversary may still co-locate with some of the platforms where replicas of the victim application are running. The adversary may, therefore, leak the secrets of those application replicas by means of side-channel attacks. Yet, the adversary will not be able to invalidate the security provisions guaranteed by the secret keys of the application replicas, unless the adversary co-locates with all of the application replicas.
- Embodiments of the current invention are discussed below in connection with a scenario where an application owner deploys a TEE application to compute a function f over owner-supplied inputs. That is, the TEE application computes and outputs y = f(x) where x is the input supplied by the application owner.
- Embodiment of the present invention leverage seamless application replication in conjunction with cryptographic mechanisms to make the TEE applications robust to side-channels attack. In example embodiments, the application owner provides the code of the TEE application to a master application. The master application is a specialized TEE application that takes care of replicating the TEE application over several platforms and of coordinating the cryptographic protocols required.
- An aspect of embodiments of the present invention is that, by using replication and threshold signature schemes, the consequences of a side-channel attack to TEE applications that require authenticated output data are mitigated.
- Another aspect of embodiments of the present invention is that, by using replication and multi-party computation, the consequence of a side-channel attack to TEE applications that require confidential input and output data are mitigated.
- For the present discussion, consider the scenario where the application owner requires the TEE application output to be authenticated by means of a signature scheme. In an embodiment of the present invention, the master application creates n replicas of the TEE application and distributes each replica on a different platform (e.g., a TEE enclave of a different platform). Further, the master application instantiates a t-out-of-n threshold signature scheme and provides each application replica with a share of the signing key. The corresponding verification key is supplied to the application owner. Each application replica receives the owner supplied input x, computes y = f(x), and uses its share of the signing key to compute a partial signature on y. Each application replica sends y and the partial signature to the master application. The master application checks that each application replica has returned the same value y. The master application then aggregates all partial signatures and forwards y and the aggregated signature to the application owner. The latter application owner may verify authenticity of y by verifying the aggregated signature using the verification key received by the master application.
- As such, the adversary must launch a successful side-channel attack on at least t platforms to be able to sign arbitrary data on behalf of the application. In deployments, the threshold t of the signature scheme may be set to the number of platforms available (i.e., t = n), so that the adversary must launch a successful side-channel attack on all of the platforms in order to sign data on behalf of the TEE application.
- In another embodiment, consider a scenario where the application owner requires input/output confidentiality by means of an encryption/decryption key. Here, a master application creates n replicas of the TEE application and distributes each replica on a different platform. The master application distributes encryption/decryption keys to the replicas in order to establish point-to-point confidential channels between any pair of replicas and between each replica and the master application. The master application may also create a confidential channel with the application owner by means of a shared key. Given the owner supplied input x, the master application computes random additive shares of x and distributes each share to each of the application replicas. The n replicas engage in a secure multi-party computation protocol so that each replica computes a random additive share of y = f(x). See Ivan Damgård et al., Multiparty Computation from Somewhat Homomorphic Encryption, CRYPTO 2012 (discussing multi-party computation, the entire contents of which are hereby incorporated by reference herein). Each application replica sends the random additive share of y to the master application. The master application recovers y by summing the additive shares and forwards the result to the application owner.
- Since each application instance receives a random share of the input x, an adversary that successfully compromises the secret keys of up to n-1 replicas, does not learn any information on x. Further, because of the security provisions of secure multi-party computation, an adversary that compromises the secret keys of up to n-1 replicas learns nothing about y.
- An embodiment of the present invention provides a method that secures a system that includes an application owner, a master application, and a plurality secure platforms. The master application receives from the application owner an application and an input. The application computes a function to calculate an output from the input. The master application deploys replicas of the application on a number of the secure platforms. The master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas. The master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input. The master application determines the output based on the result received from each of the replicas; and sends the output to the application owner.
- The method may further include: instantiating, by the master application a threshold signature signing scheme. The instantiating may include: distributing, by the master application, a respective share of a signing key of the threshold signature signing scheme to each of the replicas; and sending, by the master application, a verification key of the threshold signature signing scheme to the application owner; and receiving, by the master application from each of the replicas, a respective partial signature of the result calculated by the respective one of the replicas, the respective partial signature being based on the respective share of the signing key.
- The master application may send the entire input to each of the replicas. The respective result received by the master application for each of the replicas may correspond to the output of the function applied to the input,
- The method may further include: generating, by the master application, a reconstructed signature based on the respective partial signature received from each of the replicas; and outputting, by the master application, the reconstructed signature to the application owner. The reconstructed signature may be configured to be verified by the verification key. The respective result received by the master application for each of the replicas may be signed with the respective partial signature, and the output may be configured to be verified using the reconstructed signature and the verification key.
- In an embodiment, the master application and the secure platforms are instantiated in trusted execution environment enclaves.
- The method may further include receiving, by the master application, a replication parameter. The number of replicas and the number of security platforms may each correspond to the replication parameter.
- In an embodiment, the number of secure platforms is at least two.
- In an embodiment, the method further includes: respectively selecting, by the master application, a key for each pair of the replicas, and respectively sending, by the master application, the respective key to each pair of the replicas. The respective key may be configured to enable a secure channel between the respective pair of the replicas. In an embodiment, the key is a random key.
- The method may further include: splitting, by the master application, the input into shares of the input. The at least a portion of the input respectively sent to each of the respective replicas may corresponds to one of the shares of the input. The respective result calculated by each of the replicas may be a partial result that is determined according to the function applied to the respective one of the shares of the input. The output may be determined by aggregating the partial result respectively received from each of the replicas.
- According to an embodiment, he function is linear and the respective partial result received is calculated individually the respective one of the replicas.
- In an embodiment, the function is non-linear and the respective partial result received is calculated based on a secure multi party protocol between the replicas.
- Another embodiment of the present invention provides a secure platform having a processor coupled to a non-transitory storage memory containing instructions, which when executed by the processor, cause the secure platform to instantiate a master application in a secure enclave, the master application configured to perform the following operations: receive an application and an input, the application configured to compute a function to calculate an output from the input when executed; deploy a plurality of replicas of the application on a number of secure platforms; establish a secure channel with each of the replicas; send at least a portion of the input to the replicas; receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input; determine the output based on the result received from each of the replicas; and send to an application owner, the output.
- The master application can be configured to utilize either a replication and threshold signature scheme or a replication and multi-party computation scheme to protect against side-channel attacks.
- Another embodiment of the present invention provides a non-transitory computer-readable storage medium storing instructions that upon execution cause a master application, instantiated in a secure enclave, to perform the following operations: receive an application and an input, the application configured to compute a function to calculate an output from the input when executed; deploy a plurality of replicas of the application on a number of secure platforms; establish a secure channel with each of the replicas; send at least a portion of the input to the replicas; receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input; determine the output based on the result received from each of the replicas; and send to an application owner, the output.
- An embodiment of the invention is based on the threshold version of the BLS signature scheme. More information on the BLS signature scheme can be found in: Dan Boneh et al., "Short Signatures from the Weil Pairing," ASIACRYPT 2001 , the entirety of which is incorporated by reference herein.
- For a BLS signature scheme, let G be a Gap-Diffie-Hellman group-i.e., a group of prime order p with generator g and pairing operation e:GxG→G T . Further, let H be a hash function that maps strings of arbitrary length to elements of G. The BLS signature scheme is a triplet of algorithms KeyGen, Sign, Verify, defined as follows:
- KeyGen picks a random x in Z p*, computes, and returns verification key vk= g x and signing key sk=x.
- Sign takes as input a signing key sk and a message m, computes σ=H(m)sk and returns σ.
- Verify takes as input a verification key vk, a message m and a signature σ, and it returns 1 if e(σ,g)=e(H(m),vk) or 0 otherwise.
- Threshold BLS signatures are described in Alexandra Boldyreva, "Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme," Public Key Cryptography 2003 ("Boldyreva"), the entire contents of which are incorporated by reference herein.
- For Threshold BLS signatures, given a BLS signature scheme (KeyGen, Sign, Verify) the threshold version has an additional triplet of algorithms: Share, Share-Sign, Reconstruct, defined as follows:
- Share picks as an input a signing key sk and two values t, n where t ≤ n. It outputs n random key-shares sk 1,...sk n computed as follows. Pick at random t-1 coefficients a 1,...,a t-1 to define polynomial p(x) = sk + a 1 x +a 2 x 2 +...a t-1 x t-1. Set sk i=p(i) for (≤ i ≤ n). If t = n, then sk 1 ,...sk n-1 are chosen at random and sk n is set to sk n = sk - (sk 1 +...+ sk n)
- Share-Sign takes as an input a key-share sk i and a message m, computes σ i = H(m)sk i and returns a signature-share σ i.
- Reconstruct takes as an input a set R of at least t signature-shares on a message m and outputs a signature σ = Πi∈R(σ i Li) where L i is the appropriate Lagrange coefficient. If t = n, then we require |R|= n and the signature is computed as σ = Πi∈R(σ i)
- Here, one designated party-known as the dealer-computes a key pair sk,vk by calling KeyGen. The dealer then computes n key-shares by calling Share on sk. Each key-share is given to a different signer. Each signer computes a signature-share on a message m by calling Share-Sign with input its key-share. Given at least t signature-shares on a message m, any party can reconstruct a valid signature σ on message m by calling Reconstruct. The signature output by Reconstruct can be verified with vk by calling Verify.
- The security provisions of the threshold signature scheme guarantee that no coalition of up to t-1 holders of key-shares can produce a valid signature on arbitrary message m.
-
FIG. 1 illustrates an embodiment of a system for providing security in a TEE according to the present invention. As shown inFIG. 1 , asystem 100 may include anapplication owner 110 in communication with amaster application 120, which in turn is in communication with at least onecompute device 130 hosting at least one platform P. Theapplication owner 110 andmaster application 120 may also be hosted on compute devices (e.g., personal computers, servers, IoT devices, mobile phones, etc.). - In one embodiment of the invention, the
application owner 110 provides themaster application 120 with a TEE application code A, an input x, and a replication parameter n. - For 1 ≤ i ≤ n, the
master application 120 deploys the application A on the platform P i. This is done by sending a replica of the application A to the platform P i. The platform P i., in turn, installs the application A in alocal enclave 140 of thecompute device 130 hosting the platform P i. According to an embodiment, thelocal enclave 140 may be secure enclave such as provided by Intel SGX. A i denotes the replica of the application A that runs in anenclave 140 on the platform P i . As shown in the embodiment ofFIG. 1 , n = 3; thus themaster application 120 deploys three replicas A 1-A 3 of the application A individually in the three platforms P 1-P 3. - According to an embodiment, n is at least two, such that at least two enclaves are used to ensure security against leakage.
- The
master application 120 also verifies that a replica A i of the application A is running in anenclave 140 on each platform Pi by means of the remote attestation service. For example, an embodiment can use the remote attestation service of Intel SGX. Remote attestation also allows themaster application 120 and the replica A i of the application A to establish a confidential channel by means of a shared key. Any further communication between themaster application 120 and any replica A i of the application A happens over the corresponding confidential channel. - The
master application 120 sets up a threshold signature scheme TS (see e.g., Boldyreva discussing threshold signature schemes) and runs TS.KeyGen to obtain a signing key sk and its corresponding verification key vk. Themaster application 120 calls TS.Share on the signing key sk to generate key-shares sk 1 ,...sk n , and provides each replica A i with a corresponding key-share sk i(1 ≤ i ≤ n). The verification key vk is provided to theapplication owner 100 by themaster application 120. - The
master application 120 forwards x to each application replica A i. Each application replica A i computes y = f(x), and uses its key-share sk i to sign the outcome of its computation by calling TS.Share-Sign. That is, each application replica A i outputs (y, σ i), where σ i is a partial signature over y computed by using sk i. - The
master application 120 collects (y, σ i,..., σ n), computes a reconstructed signature σ by calling TS.Reconstruct on the partial signatures σ i,..., σ n, and forwards (y, σ) to theapplication owner 110 who may verify authenticity of the reconstructed signature σ by using the verification key vk. -
FIG. 2 illustrates amethod 200 for providing security in trusted execution environments according to an embodiment of the present invention. In particular, themethod 200 secures a trusted execution environment from, inter alia, a side channel attack. Themethod 200 may be operated in a system (such as system 100) that includes at least one application owner (such as application owner 110) at least one master application (such as master application 120), and a plurality of trusted execution environment enabled platforms (such as platform P i). For example, there can be n SGX-enabled platforms, which may be at the application owner's premises or remote. Also, the master application may run on an additional TEE platform (i.e., a master trusted execution environment platform), such as an SGX-enabled platform. - In the method, the master application receives an application binary A and an input x from the application owner (S201). In an embodiment, the application binary A computes a function f to calculate and output y from the input x.
- The master application deploys n replicas of application binary A over n different secure platforms (S202). The secure platforms include trusted execution environment enclaves; for example, the secure platforms may be SGX-enabled platforms.
- The master application attests each replica and establishes a secure channel with each replica of the application binary A (S203).
- The master application instantiates a threshold signature scheme and distributes shares of the signing scheme to the replicas (S204). The master application provides the verification key of the threshold signature scheme to the application owner (S205).
- The master application sends the input x to each of the replicas (S206).
- Each replica computes the output, i.e., y = f(x), and computes a partial signature of the output y using its share of the signing key (S207).
- The master application receives each replica's output y and each replica's partial signature (S208).
- The master application aggregates the partial signature into a standard signature (S209).
- The master application sends the output y and the standard signature to the application owner (S210).
- The application owner checks authenticity of the output y by verifying the standard signature using the verification key (S211).
- Referring to
FIG. 3 , another embodiment of asystem 300 according to the invention is illustrated. In thesystem 300, theapplication owner 310 provides themaster application 320 with a TEE application code A, an input x, and a replication parameter n. - For 1 ≤ i ≤ n, the
master application 320 deploys the application A on the platform P i. This is done by sending a replica of the application A to the platform P i. The platform P i, in turn, installs the application A in alocal enclave 340 of thecompute device 330 hosting the platform P i. A i denotes the replica of the application A that runs in anenclave 340 on the platform P i. - The
master application 320 verifies that the replica A i of the application A is running in anenclave 340 on the platform P i by means of a remote attestation service. For example, an embodiment can use the remote attestation service provided by Intel SGX. Remote attestation also allows themaster application 320 and the replica application A i to establish a confidential channel by means of a shared key sk. Any further communication between themaster application 320 and any application replica A i happens over the corresponding confidential channel. - For each pair of application replicas A i, A j (1 ≤ i, j ≤ n), the
master application 320 picks at random a key K ij and distributes it to A i and A j. Any further communication between A i and A j happens over the confidential channel established by means of K ij. - According to another embodiment, each pair of application replicas A i, Aj (1 ≤ i, j≤n) may attest each-other by means of the remote attestation service, e.g., the remote attestation service of Intel SGX, in order to establish a confidential channel by means of a shared key. Any further communication between A i and A j happens over the confidential channel established.
- In an embodiment, the
master application 320 splits x in n additive random shares x 1,...,x n. This can be done, for example, by picking x 1,...,x n-1 at random and then setting x n = x-(x 1 +...+ x n-1). Themaster application 320 sends share x i to application replica A i. - If f is linear, e.g., f = ax + b, then each replica A i computes y' i = f'(x i)=ax i , and outputs y' i . The
master application 320 computes y = Σi=1,...,n y'i + b and sends it to theapplication owner 310. Here, the master application may be considered a trusted entity to act on behalf of the owner. - If f is non-linear, then all application replicas A i engage in a secure multi-party computation protocol to compute linear shares of y = f(x). For example, the SPDZ framework can be used (see e.g., Hähnel discussing SPDZ). The SPDZ framework uses an offline phase where parties must compute shares of triplet a,b,c such that c = ab. In settings of embodiments, all such triplets can be defined, shared, and distributed by the
master application 320 to the application replicas A i . That is, given a random triplet a,b,c, themaster application 320 computes n (linear) shares of a as a 1 ,...,a n and sends a i to A i. The same approach is used to compute and distribute shares of b and c. Once all triplets have been shared across the application replicas A i, all of them move to the online phase of the SPDZ protocol to compute shares of y. Here, y' i is the share of y held by the application replica A i at the end of the online phase of the SPDZ protocol. A i sends y' i to themaster application 320. Themaster application 320 aggregates (i.e., sums) all y' i (1 ≤ i ≤ n) to recover y and forwards it to theapplication owner 310. -
FIG. 4 illustrates amethod 400 for providing security in trusted execution environments according to an embodiment of the present invention. In particular, themethod 400 secures a trusted execution environment from, inter alia, a side channel attack. Themethod 400 may be operated in a system (such as system 300) that includes at least one application owner (such as application owner 310) at least one master application (such as master application 320), and a plurality of trusted execution environment enabled platforms (such as platforms P i). For example, there can be n SGX-enabled platforms, which may be at the application owner's premises or remote. Also, the master application may run on an additional SGX-enabled platform. - In the method, the master application receives an application binary A and an input x from the application owner (S401). In an embodiment, the application binary A computes a function f to calculate and output y from the input x. The function f may be linear or non-linear.
- The master application deploys n replicas of application binary A over n different secure platforms (S402). The secure platforms include trusted execution environment enclaves; for example, the secure platforms may be SGX-enabled platforms.
- The master application attests each replica and establishes a secure channel with each replica of the application binary A (S403).
- Each pair of replicas establishes a secure connection between them (S404). In an embodiment, the master application distributes a random key to each pair of replicas for establishing the secure channel (S404a). In an embodiment, each pair of replicas performs remote attestation to form the secure channel (S404b).
- The master application splits the input x into n additive random shares, and sends a share to each of the replicas (S405).
- Each replica computes its share of the output (S406). When the function f is linear, then each replica computes its share of the output separately (S406a). When the function f is non-linear, then all replicas engage in a secure multi-party computation protocol to compute their output shares (S406b). Once the output shares are computed, the output shares are sent to and received by the master application (S407).
- The master application aggregates the output shares to compute the output (S408).
- The master application sends the output to the application owner (S409).
-
FIG. 5 is a block diagram of a processing system according to one embodiment for providing a secure trusted execution environment. The processing system can be used to implement the system and method described above. For example, each of the platforms, the application owner, and master application may be implemented on a processing system such as shown inFIG. 5 . Each processing system includes at least oneprocessor 704, such as a central processing unit (CPU) of the computing device or a dedicated special-purpose processor, executes computer executable instructions comprising embodiments of the system for performing the functions and methods described above. In embodiments, the computer executable instructions are stored (e.g., locally stored) and accessed from a non-transitory computer readable medium, such asstorage 710, which may be a hard drive or flash drive. Read Only Memory (ROM) 706 includes computer executable instructions for initializing theprocessor 704, while the random-access memory (RAM) 708 is the main memory for loading and processing instructions executed by theprocessor 704. Thenetwork interface 712 may connect to a wired network or cellular network and to a local area network or wide area network, such as the Internet. - While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive. It will be understood that changes and modifications may be made by those of ordinary skill within the scope of the following claims. In particular, the present invention covers further embodiments with any combination of features from different embodiments described above and below. Additionally, statements made herein characterizing the invention refer to an embodiment of the invention and not necessarily all embodiments.
- The terms used in the claims should be construed to have the broadest reasonable interpretation consistent with the foregoing description. For example, the use of the article "a" or "the" in introducing an element should not be interpreted as being exclusive of a plurality of elements. Likewise, the recitation of "or" should be interpreted as being inclusive, such that the recitation of "A or B" is not exclusive of "A and B," unless it is clear from the context or the foregoing description that only one of A and B is intended. Further, the recitation of "at least one of A, B and C" should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise. Moreover, the recitation of "A, B and/or C" or "at least one of A, B or C" should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C.
Claims (15)
- A method for securing a system comprising an application owner, a master application, and a plurality secure platforms, the method comprising:receiving, by the master application from the application owner, an application and an input, the application configured to compute a function to calculate an output from the input when executed;deploying, by the master application, a plurality of replicas of the application on a number of the secure platforms;establishing, by the master application, a secure channel with each of the replicas;sending, by the master application, at least a portion of the input to the replicas;receiving, by the master application, a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input;determining, by the master application, the output based on the result received from each of the replicas; andsending, by the master application to the application owner, the output.
- The method according to claim 1, the method further comprising:instantiating, by the master application a threshold signature signing scheme, the instantiating comprising:distributing, by the master application, a respective share of a signing key of the threshold signature signing scheme to each of the replicas; andsending, by the master application, a verification key of the threshold signature signing scheme to the application owner; andreceiving, by the master application from each of the replicas, a respective partial signature of the result calculated by the respective one of the replicas, the respective partial signature being based on the respective share of the signing key;
- The method according to claim 1 or 2,
wherein the master application sends the entire input to each of the replicas, and
wherein the respective result received by the master application for each of the replicas corresponds to the output of the function applied to the input, - The method according to claim 2, the method further comprising:generating, by the master application, a reconstructed signature based on the respective partial signature received from each of the replicas; andoutputting, by the master application, the reconstructed signature to the application owner,wherein the reconstructed signature is configured to be verified by the verification key,wherein the respective result received by the master application for each of the replicas is signed with the respective partial signature, andwherein the output is configured to be verified using the reconstructed signature and the verification key.
- The method according to any of claims 1 to 4, wherein the master application and the secure platforms are instantiated in trusted execution environment enclaves.
- The method according to any of claims 1 to 5, the method further comprising:receiving, by the master application, a replication parameter,wherein the number of replicas and the number of security platforms each correspond to the replication parameter.
- The method according to any of claims 1 to 6, wherein the number of secure platforms is at least two.
- The method according to any of claims 1 to 7, the method further comprising:respectively selecting, by the master application, a key for each pair of the replicas, andrespectively sending, by the master application, the respective key to each pair of the replicas,the respective key being configured to enable a secure channel between the respective pair of the replicas.
- The method according to claim 8, wherein the key is a random key.
- The method according to any of claims 1 to 9, the method further comprising:splitting, by the master application, the input into shares of the input,wherein the at least a portion of the input respectively sent to each of the respective replicas corresponds to one of the shares of the input, andwherein the respective result calculated by each of the replicas is a partial result that is determined according to the function applied to the respective one of the shares of the input;wherein the output is determined by aggregating the partial result respectively received from each of the replicas.
- The method according to claim 10, wherein the function is linear and the respective partial result received is calculated individually the respective one of the replicas.
- The method according to claim 10, wherein the function is non-linear and the respective partial result received is calculated based on a secure multi party protocol between the replicas.
- A secure platform comprising a processor coupled to a non-transitory storage memory containing instructions, which when executed by the processor, cause the secure platform to instantiate a master application in a secure enclave, the master application configured to perform the following operations:receive an application and an input, the application configured to compute a function to calculate an output from the input when executed;deploy a plurality of replicas of the application on a number of secure platforms;establish a secure channel with each of the replicas;send at least a portion of the input to the replicas;receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input;determine the output based on the result received from each of the replicas; andsend to an application owner, the output.
- The secure platform according to claim 13, wherein the master application is configured to utilize either a replication and threshold signature scheme or a replication and multi-party computation scheme to protect against side-channel attacks.
- A non-transitory computer-readable storage medium storing instructions that upon execution cause a master application, instantiated in a secure enclave, to perform the following operations:receive an application and an input, the application configured to compute a function to calculate an output from the input when executed;deploy a plurality of replicas of the application on a number of secure platforms;establish a secure channel with each of the replicas;send at least a portion of the input to the replicas;receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input;determine the output based on the result received from each of the replicas; andsend to an application owner, the output.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201862694477P | 2018-07-06 | 2018-07-06 | |
US16/454,136 US11362841B2 (en) | 2018-07-06 | 2019-06-27 | Method and system for providing security in trusted execution environments |
Publications (2)
Publication Number | Publication Date |
---|---|
EP3591893A1 true EP3591893A1 (en) | 2020-01-08 |
EP3591893B1 EP3591893B1 (en) | 2021-03-17 |
Family
ID=67211512
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP19183659.2A Active EP3591893B1 (en) | 2018-07-06 | 2019-07-01 | Method and system for providing security in trusted execution environments |
Country Status (2)
Country | Link |
---|---|
US (1) | US11362841B2 (en) |
EP (1) | EP3591893B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220245237A1 (en) * | 2021-02-04 | 2022-08-04 | NEC Laboratories Europe GmbH | Clone application detection mechanism for securing trusted execution environments against a malicious operating system |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11362841B2 (en) * | 2018-07-06 | 2022-06-14 | Nec Corporation | Method and system for providing security in trusted execution environments |
US20220158856A1 (en) * | 2019-04-01 | 2022-05-19 | Telefonaktiebolaget Lm Ericsson (Publ) | Attestation of trusted execution environments |
US11811933B2 (en) | 2019-11-27 | 2023-11-07 | Visa International Service Association | System and method for fair, secure n-party computation using at least one blockchain |
US10924460B2 (en) * | 2019-12-13 | 2021-02-16 | TripleBlind, Inc. | Systems and methods for dividing filters in neural networks for private data computations |
US12099997B1 (en) | 2020-01-31 | 2024-09-24 | Steven Mark Hoffberg | Tokenized fungible liabilities |
CN115088003B (en) * | 2020-12-11 | 2023-10-31 | 维萨国际服务协会 | Systems, methods, and computer program products for secure real-time N-party computing |
US12069055B2 (en) * | 2021-12-08 | 2024-08-20 | Intel Corporation | Mechanism for managing services to network endpoint devices |
IL292083A (en) * | 2022-04-08 | 2023-11-01 | Google Llc | Secure computation using multi-party computation and a trusted execution environment |
IL292998B1 (en) * | 2022-05-13 | 2024-09-01 | Google Llc | Secure multi-party computation with attestation using a trusted execution environment |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017179059A1 (en) * | 2016-04-14 | 2017-10-19 | B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University | Self-stabilizing secure and heterogeneous systems |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5825880A (en) * | 1994-01-13 | 1998-10-20 | Sudia; Frank W. | Multi-step digital signature method and system |
EP2678969A4 (en) * | 2011-02-22 | 2017-07-19 | Hewlett-Packard Enterprise Development LP | Digital signatures |
EP2905922A1 (en) * | 2014-02-10 | 2015-08-12 | Thomson Licensing | Signing method delivering a partial signature associated to a message, threshold signing method, signature verification method, and corresponding computer program and electronic devices |
KR101989943B1 (en) * | 2017-04-28 | 2019-06-17 | 삼성에스디에스 주식회사 | Apparatus and method for performing operation being secure against side channel attack |
US11362841B2 (en) * | 2018-07-06 | 2022-06-14 | Nec Corporation | Method and system for providing security in trusted execution environments |
-
2019
- 2019-06-27 US US16/454,136 patent/US11362841B2/en active Active
- 2019-07-01 EP EP19183659.2A patent/EP3591893B1/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017179059A1 (en) * | 2016-04-14 | 2017-10-19 | B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University | Self-stabilizing secure and heterogeneous systems |
Non-Patent Citations (9)
Title |
---|
AHMAD MOGHIMI ET AL.: "CacheZoom: How {SGX} Amplifies the Power of Cache Attacks", CHES, 2017 |
ALEXANDRA BOLDYREVA: "Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme", 2003, PUBLIC KEY CRYPTOGRAPHY |
BONEH ET AL.: "Short Signatures from the Weil Pairing", ASIACRYPT, 2001 |
GUOXING CHEN ET AL.: "SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution", CORR/ABS/1802.09085, 2018 |
IVAN DAMGARD ET AL.: "Multiparty Computation from Somewhat Homomorphic Encryption", CRYPTO, 2012 |
JIAN LIU ET AL: "Scalable Byzantine Consensus via Hardware-assisted Secret Sharing", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 15 December 2016 (2016-12-15), XP080744551 * |
J-M BOHLI ET AL: "Security and Privacy-Enhancing Multicloud Architectures", IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, vol. 10, no. 4, 1 July 2013 (2013-07-01), US, pages 212 - 224, XP055621361, ISSN: 1545-5971, DOI: 10.1109/TDSC.2013.6 * |
MARCUS HAHNEL ET AL.: "High-Resolution Side Channels for Untrusted Operating Systems", USENIX ATC, 2017 |
PAUL KOCHER ET AL.: "Spectre Attacks: Exploiting Speculative Execution", CORR ABS/1801.01203, 2018 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220245237A1 (en) * | 2021-02-04 | 2022-08-04 | NEC Laboratories Europe GmbH | Clone application detection mechanism for securing trusted execution environments against a malicious operating system |
US11836244B2 (en) * | 2021-02-04 | 2023-12-05 | Nec Corporation | Clone application detection mechanism for securing trusted execution environments against a malicious operating system |
Also Published As
Publication number | Publication date |
---|---|
EP3591893B1 (en) | 2021-03-17 |
US20200014546A1 (en) | 2020-01-09 |
US11362841B2 (en) | 2022-06-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11362841B2 (en) | Method and system for providing security in trusted execution environments | |
US10785019B2 (en) | Data transmission method and apparatus | |
CN108199835B (en) | Multi-party combined private key decryption method | |
US11870891B2 (en) | Certificateless public key encryption using pairings | |
EP3091690A1 (en) | Rsa decryption using multiplicative secret sharing | |
US9571274B2 (en) | Key agreement protocol | |
CN109800584A (en) | A kind of identity or encryption attribute calculation method and system based on Intel SGX mechanism | |
CN109936456B (en) | Anti-quantum computation digital signature method and system based on private key pool | |
US20150222422A1 (en) | Systems and methods for faster public key encryption using the associated private key portion | |
US11888832B2 (en) | System and method to improve user authentication for enhanced security of cryptographically protected communication sessions | |
CA3178180A1 (en) | Constructing a distributed ledger transaction on a cold hardware wallet | |
Wu et al. | Poster: a certificateless proxy re-encryption scheme for cloud-based data sharing | |
Garg et al. | Comparison of asymmetric algorithms in cryptography | |
Khatarkar et al. | A survey and performance analysis of various RSA based encryption techniques | |
CN112380579A (en) | Lattice-based forward security certificateless digital signature scheme | |
US20220038267A1 (en) | Methods and devices for secured identity-based encryption systems with two trusted centers | |
US20160352689A1 (en) | Key agreement protocol | |
Zhang et al. | Robust and efficient password authenticated key agreement with user anonymity for session initiation protocol‐based communications | |
CN108055134B (en) | Collaborative computing method and system for elliptic curve point multiplication and pairing operation | |
US20240114025A1 (en) | Modification of device behavior for use in secure networking | |
Lakshmi et al. | Medical image encryption using enhanced Rivest Shamir adleman algorithm | |
Abd Zaid et al. | Lightweight RSA Algorithm Using Three Prime Numbers | |
Hsu et al. | A dynamic identity end-to-end authentication key exchange protocol for IoT environments | |
CN109951287B (en) | Anti-quantum computation signcryption method and system based on private key pool | |
Panwar | Asymmetric key cryptography |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20200619 |
|
RBV | Designated contracting states (corrected) |
Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
INTG | Intention to grant announced |
Effective date: 20201215 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
RAP1 | Party data changed (applicant data changed or rights of an application transferred) |
Owner name: NEC CORPORATION |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602019003215 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: REF Ref document number: 1373276 Country of ref document: AT Kind code of ref document: T Effective date: 20210415 |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG9D |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210617 Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210617 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210618 Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 1373276 Country of ref document: AT Kind code of ref document: T Effective date: 20210317 |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: MP Effective date: 20210317 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210719 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210717 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602019003215 Country of ref document: DE |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: AL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
26N | No opposition filed |
Effective date: 20211220 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
REG | Reference to a national code |
Ref country code: BE Ref legal event code: MM Effective date: 20210731 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210717 Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20210701 Ref country code: FR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20210731 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20210701 Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20210731 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20220731 Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20220731 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: HU Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO Effective date: 20190701 |
|
GBPC | Gb: european patent ceased through non-payment of renewal fee |
Effective date: 20230701 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 Ref country code: GB Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20230701 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210317 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20240719 Year of fee payment: 6 |